State of the Internet The Need for a New Network Software-Defined Networking (SDN) Network Data Plane SDN Data Plane Technology: OpenFlow

Transcription

1

2 State of the Internet The Need for a New Network Software-Defined Networking (SDN) Network Data Plane SDN Data Plane Technology: OpenFlow SDN Tutorial 2

3 SDN Tutorial 3

4 Proposed in the late 1970s Open Systems Interconnection model: It characterizes and standardizes a communication system by dividing it into layers A layer serves the layer above it and is served by the layer below it Two major components: An abstract model of networking A set of protocols SDN Tutorial 4

5 OSI Model Data Unit Layer Function Host Layers Data 7. Application Network process to application 6. Presentation Data presentation, encryption and decryption 5. Session Interhost communication Segment 4. Transport Reliable delivery of packets Media Layers Packet/Datagram 3. Network Addressing, routing and delivery of datagrams Bit/Frame 2. Data Link Reliable direct P2P data connection Bit 1. Physical Direct P2P data connection SDN Tutorial 5

6 SDN Tutorial 6

7 The Internet Hourglass Applications Kazaa VoIP Mail News Video Audio IM U Tube Everything on IP Transport protocols TCP SCTP UDP ICMP Ossification IP Continued Innovations Ethernet Power lines IP on ATM everything Optical Link technologies Satellite Bluetooth SDN Tutorial 7

8 The trends driving the networking industry to reevaluate traditional network architecture: The explosion of mobile devices and content Server virtualization Advent of cloud services Traditional networks are hierarchical: Make sense for client-server computing Ill-suited to the dynamic computing and storage needs SDN Tutorial 8

9 The key computing trends driving for a new network paradigm: Changing traffic patterns: Instead of client-server communication, applications access multiple databases and servers across the entire network The consumerization of IT : Mobile devices are widely used which drive IT to accommodate these personal devices in a finegrained manner SDN Tutorial 9

10 The key computing trends driving for a new network paradigm: The rise of cloud services: Enterprises enthusiastically embraced both public and private cloud services The hunger for Big data : Mega datasets needs massive parallel processing on multiple servers, which need direct connection The constant demand for additional network capacity Maintain any-to-any connectivity SDN Tutorial 10

11 Limitations of current networking: Complexity leads to stasis: To add or move any device, IT must touch multiple switches, routers, firewalls, etc. Server virtualization has greatly altered assumptions about physical location of hosts Network static nature cannot dynamically adapt changing traffic, application, and user demand Inconsistent policies: Today s network makes it difficult for IT to apply consistent set of access, security, QoS, and other policies to increasingly mobile users SDN Tutorial 11

12 Limitations of current networking: Inability to scale: Network becomes very complex with the addition of thousands of network devices that must be configured and managed Dynamic traffic patterns cannot be handled with manual configuration Vendor dependence: Vendors equipment product cycles cannot adapt to the rapid changing network architecture in time Lack of standard, open interfaces limit the ability of network operators to tailor the network 12

13 The Need for a New Network To reinvent the Internet To develop a new network with similar magnitude as today s Internet but with more demanding and complex design goals and specifications Built with the usage of emerging new technologies in the area of computer networking SDN Tutorial 13

14 State of The Internet The Internet is great at what it does, but.. Security is weak Availability/Reliability is an issue Instrumentation is weak Predictability is weak Manageability is an issue Mobility is not well supported Sensing is not well supported Scalability is an issue Our critical infrastructures cannot rely on it! Persistent problems not solvable by incremental improvements to the current Internet New Paradigms may prove more powerful, providing the basis for a superior Future Internet SDN Tutorial 14

15 Global networks are creating extremely important new challenges Science Issues We cannot currently understand or predict the behavior of complex, large-scale networks Innovation Issues Substantial barriers to at-scale experimentation with new architectures, services, and technologies Society Issues Credit: MONET Group at UIUC We increasingly rely on the Internet but are unsure we can trust its security, privacy or resilience SDN Tutorial 15

16 Software Defined Networking SDN Tutorial 16

17 What is SDN? An architectural approach that optimizes and simplifies network operation by: Decoupling the control plane and the data plane Control plane: the system that makes decision about where traffic is sent Data plane: the system that forwards traffic to the selected destination Evolved from the work done by UC Berkeley and Stanford University (Network managing project) SDN Tutorial 17

18 SDN Tutorial 18

19 What is SDN? Achieved by employing a point of logically centralized network control (SDN Controller) It facilitates the communication between applications and network elements It exposes and abstracts network functions and operations via programmable interface Gain vendor-independent control over the entire network from a single logical point SDN Tutorial 19

20 Today: Closed Boxes, Fully Distributed Protocols SDN Tutorial 20

21 SDN was implemented to open it SDN Tutorial 21

22 The Software-defined Network SDN Tutorial 22

23 SDN Tutorial 23

24

25 The part of the router architecture, also called Forwarding plane It handles incoming datagrams through a series of link-level operations Datagram is processed in the data plane by performing lookup in the FIB table programmed by control plane Fast path packet processing due to no further learning process needed SDN Tutorial 25

26 One exception to this process when packets cannot be matched to rules Unknown destination detected Packets are sent to router processor where control plane can process FIB table can be implemented in varies ways: Software Hardware-accelerated software Hardware SDN Tutorial 26

27 > 1K entries Each cell takes three logic states 0, 1, and? (don t care) Fully associative memory: compares input string with all the entries in parallel If multiple matches, report index of the first match Current TCAM technology Fast Match Time: 4-8 ns Size: 1M 1K entries * 1K bytes per entry 2K entries * 512 bytes per entry Input TCAM A B C D C D E F A B C? A B?? k bytes Match 27

28 High-performance routers often have multiple distributed forwarding elements Increases performance with parallel processing Besides the forwarding decision, the data plane may implement some small features (forwarding features) Access Control List (ACL) Quality of Service (QoS) Policy SDN Tutorial 28

29 The data plane have to do some level of datagram header rewrite SDN Tutorial 29

30 Two-stage lookups in multislot/card system: 1 st stage at ingress identifies the outgoing slot/card 2 nd stage at egress performs secondary lookup This can enable an optimization called localization to reduce the egress FIB size SDN Tutorial 30

31 Scalability Issues: The service card are limited to a certain amount of flow state they can support for certain generation of the card The significant lag between the availability of a new family of processors and new service cards that use that innovation The control card memories have processing limitations based on the generation of the CPU complex Cost SDN Tutorial 31

32 SDN Tutorial 32

33 SDN Tutorial 33

34 A communications protocol that allows the path of network packets through the switches to be determined by software running on multiple routers It was originally developed by Stanford University as part of network research Creation of experimental protocols Ultimate goal: Replace the functionality of layer 2 and layer 3 protocols completely in commercial switches and routers SDN Tutorial 34

35 The key components of the OpenFlow: Separation of the control and data planes Using a standardized protocol between controller and an agent for instantiating state Providing network programmability from a centralized view via API It is a set of protocols and an API The controller does nothing without an application program SDN Tutorial 35

36 Link Aggregation Control Protocol Rapid Spanning Tree Protocol Open Shortest Path First SDN Tutorial 36

37 Switch Components: Main components of an OpenFlow switch: Consists of one or more flow tables and a group table, used to perform packet lookup and forwarding An OpenFlow channel to an external controller Controller manages the switch via the OpenFlow protocol SDN Tutorial 37

38 Switch Components: The controller can add, update, and delete flow entries in flow tables Each flow table contains a set of flow entries; each flow entry consists of: Match fields, counters, and set of instructions Matching starts at the first flow table and may continue to additional flow tables Flow entries match packets in priority order, with the first matching entry being used SDN Tutorial 38

39 SDN Tutorial 39

40 Packet Flow Flowchart SDN Tutorial 40

41 Switch Components: If a matching entry found, the instructions associate with the specific flow entry are executed If no match found, the outcome depends on configuration of the table-miss flow entry: The packet may be forwarded to the controller, dropped, or may continue to next flow table Instruction associated with each flow entry either contain actions or modify pipeline processing SDN Tutorial 41

42 Switch Components: Actions included in instructions describe packet forwarding, packet modification and group table processing Pipeline processing instructions allow packets to be sent to subsequent tables for further processing Pipeline processing stops when the instruction set associated with a matching flow entry doesn t specify a next table At this point the packet is usually modified and forwarded SDN Tutorial 42

43 Switch Components: Flow entries may forward to a port, usually a physical port, but it could also be a logical port defined by the switch or a reserved port defined by the specification Actions associated with flow entries may also direct packets to a group, which specifies additional processing Groups represent sets of actions for flooding and more complex forwarding semantics (multipath, fast reroute, and link aggregation) SDN Tutorial 43

44 Switch Components: Groups also enable multiple flow entries to forward to a single identifier Group table contains group entries: Each group entry contains a list of action buckets with specific semantics dependent on group type SDN Tutorial 44

45 Example of Nested Flows From Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud by William Stallings ( ) Copyright 2016 Pearson Education, Inc. All rights reserved.

46 Group Types From Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud by William Stallings ( ) Copyright 2016 Pearson Education, Inc. All rights reserved.

47 Goal: Evangelize OpenFlow to vendors Free membership for all researchers Whitepaper, OpenFlow Switch Specification, Reference Designs Licensing: Free for research and commercial use SDN Tutorial 47

48 SDN Tutorial 48

49 A network emulator emulates a collection of end-hosts, switches, routers, and links on a single Linux kernel Uses lightweight virtualization to make a single system look like a complete network Commonly used as an emulation, verification, testing tool, and resource SDN Tutorial 49

50 Represents a shell of a machine that arbitrary programs can be plugged into and run The measured performance of a Mininet-hosted network often should approach that of actual (non-emulated) switches, routers, and hosts Allows full topologies and packet forwarding customization SDN Tutorial 50

51 Internally, Mininet employs lightweight virtualization features in the Linux kernel, including process groups, CPU bandwidth isolation, and network namespaces, and combines them with link schedulers and virtual Ethernet links. Isolated Hosts. An emulated host in Mininet is a group of user-level processes moved into a network namespace Linux network namespaces Emulated Links. The data rate of each link is enforced by Linux Traffic Control (tc), which has a number of packet schedulers to shape traffic to a configured rate Linux tc feature Emulated Switches. Mininet typically uses the default Linux bridge or Open vswitch running in kernel mode to switch packets across interfaces Linux Open vswitch (OVS) SDN Tutorial 51

52 SDN Tutorial 52

53 The easiest way is to download prepackaged Mininet/Ubuntu VM Included Mininet, all OpenFlow binaries and tools, and tweaked kernel Download and install a virtualization system Recommend VirtualBox ads SDN Tutorial 53

54 Import VM: Add the VM and start it up, in the virtualization program you choose VirtualBox: Import the OVF file, select settings, and add an additional host-only network adapter VMware: Import the OVF file, then start the VM Qemu/KVM: Convert the VMDK to QCOW2 format first qemu-img convert O qcow2 filename.vmdk filename.qcow2 SDN Tutorial 54

55 VirtualBox: Import SDN Tutorial 55

56 VirtualBox: Open downloaded VOF file: SDN Tutorial 56

57 VirtualBox: Click next after you chose the location SDN Tutorial 57

58 VirtualBox: Review the VM configuration and Import SDN Tutorial 58

59 VirtualBox: Make sure your VM has two network interfaces: NAT interface: It can use to access the Internet It should be eth0 and have a 10.X IP address Host-only interface: Used to communicate with host machine It should be eth1 with X IP address Both interfaces should be configured using DHCP, if not, run: $ sudo dhclient ethx Replacing ethx with the name of downed interface SDN Tutorial 59

60 VirtualBox: Select the imported VM and click Settings SDN Tutorial 60

61 VirtualBox: In the network, add an additional host-only network adapter and click Ok SDN Tutorial 61

62 VirtualBox: Log in to VM, use following username and password: mininet-vm login: mininet Password: mininet Command syntax: $: precedes Linux commands that should be typed at the shell prompt mininet>: precedes Mininet commands that should be typed at Mininet s CLI #: precedes Linux commands that re typed at a root shell prompt SDN Tutorial 62

63 Mac OS and Linux: Open a terminal. Run following in terminal: $ ssh X [user]@[guest IP Here] Replace [user] with the correct username Replace [Guest IP] with the IP you just noded Enter the password for your VM image Try to start up the X terminal using $ xterm SDN Tutorial 63

64 Windows: In order to use X11 applications such as xterm and wireshark, the Xming server must be running Download and install Xming Start Xming by double-clicking its icon Make an ssh connection with X11 forwarding enabled SDN Tutorial 64

65 Windows: To enable X11 forwarding from PuTTY GUI, click PuTTY -> Connection -> SSH -> X11, then click on Forwarding Enable X11 Forwarding SDN Tutorial 65

66 Windows - Alternative: Run X11 in the VM console window: First, log in to the VM in its console window and make sure apt is up to date sudo apt-get update Then install the desktop environment of your choice: sudo apt-get install xinit <environment> <environment> is you GUI of choice lxde: a reasonable compact and fast desktop GUI flwm: a smaller but more primitive desktop GUI ubuntu-desktop: the full, heavyweight ubuntu GUI Then you can start X11 in the VM: startx SDN Tutorial 66

67 Development Environment: OpenFlow Controller: Sits above the OpenFlow interface Executed during the simulation and observe messages being sent OpenFlow Switch: Sits below the OpenFlow interface A user-space software switch dpctl: Command-line utility that sends quick OpenFlow messages Useful for viewing switch port stats SDN Tutorial 67

68 Development Environment: Wireshark: General graphical utility for viewing packets Dissector parses OpenFlow messages sent to OpenFlow default port in a readable way iperf: General command-line utility for testing the speed of a single TCP connection cbench: Utility for testing the flow setup rate of OpenFlow controllers SDN Tutorial 68

69 SDN Tutorial 69

70 Create the network in VM, enter (SSH): & sudo mn topo single,3 --mac -- switch ovsk --controller remote This tells Mininet to start up 3-host, single switch topology, set the MAC address: Created 3 virtual hosts, each with a separate IP address Created a single OpenFlow software switch in the kernel with 3 ports Connected each virtual host to the switch with a virtual Ethernet cable Set the MAC address of each host equal to its IP Configure the switch to connect to a controller SDN Tutorial 70

71 Mininet-specific basic commands: Lists available nodes, run: mininet> nodes Lists all available commands, run: mininet> help Runs a single command on a node, ex: check the IP of a virtual host: mininet> h1 ifconfig Running interactive commands and watching debug output: mininet> xterm h1 h2 SDN Tutorial 71

72 dpctl example usage (SSH terminal): It enables visibility and control over a single switch s flow table, useful for debugging by viewing flow state and flow counters To dump out port state and capabilities: $ dpctl show tcp: :6634 More useful command: $ dpctl dump-flows tcp: :6634 SDN Tutorial 72

73 Ping test: Let s go back to the mininet console and try to ping h2 from h1: mininet> h1 ping c3 h2 The ping should fail due to the switch flow table is empty, and there is no controller connected to the switch Manually install the necessary flows by using dpctl: $ dpctl add-flow tcp: :6634 in_port=1, actions=output:2 $ dpctl add-flow tcp: :6634 in_port=2, actions=output:1 SDN Tutorial 73

74 SDN Tutorial 74

75 Ping test: Run the ping command again and you should get the replies If you didn t see any ping replies, it might be the case that the flow-entries expired before you start your ping test, the default idle_timeout is 60 seconds We can manually modify the idle_timeout by running: $ dpctl add-flow tcp: :6634 in_port=1,idle_timeout=120,actions=out put:2 SDN Tutorial 75

76 Running Wireshark: The VM image includes the OpenFlow Wireshark dissector pre-installed To open Wireshark: $ sudo wireshark & Set up a filter for OpenFlow control traffic by typing of in Filter box near the top Press the apply button to apply the filter to all recorded traffic SDN Tutorial 76

77 Start controller and view messages With the Wireshark dissector listening, start the OpenFlow controller (SSH terminal): $ controller ptcp: This starts a simple controller that acts as a learning switch without installing any flowentries You should see number of messages displayed in Wireshark, from the Hello exchange messages and so on SDN Tutorial 77

78 Start controller and view messages Hello Hello Message Type Description Features Request Set Config Features Reply Controller->Switch Switch->Controller Controller->Switch Controller->Switch Switch->Controller Like TCP handshake, the controller sends its version number to the switch The switch replies with its supported version number The controller asks to see which ports are available Controller asks the switch to send flow expirations Switch replies with a list of ports, port speed, and supported tables and actions SDN Tutorial 78

79 Benchmark controller w/iperf: iperf is a command-line tool for checking speeds between two computers In the mininet console, run: mininet> iperf This command runs an iperf TCP server on one virtual host, then runs an iperf client on a second virtual host, once connected, they transfer packets with each other and report the results SDN Tutorial 79